Add: Denormalization: delete ace attributeTypeId, add attribute_type_name

app/alembic/versions/1b71cafba681_replace_attributeTypeId.py

@@ -0,0 +1,88 @@
+"""Delete attributeTypeId add attribute_type_name from AccessControlEntries.
+
+Revision ID: 1b71cafba681
+Revises: 708b01eaf025
+Create Date: 2026-03-24 16:28:49.116712
+
+"""
+
+import sqlalchemy as sa
+from alembic import op
+from dishka import AsyncContainer
+
+# revision identifiers, used by Alembic.
+revision: None | str = "1b71cafba681"
+down_revision: None | str = "708b01eaf025"
+branch_labels: None | list[str] = None
+depends_on: None | list[str] = None
+
+
+def upgrade(container: AsyncContainer) -> None:
+    """Upgrade."""
+    op.add_column(
+        "AccessControlEntries",
+        sa.Column("attribute_type_name", sa.String(), nullable=True),
+    )
+    op.execute(
+        sa.text(
+            """
+            UPDATE "AccessControlEntries" AS ace
+            SET attribute_type_name = directory.name
+            FROM "Directory" AS directory
+            WHERE ace."attributeTypeId" = directory.id
+            """,
+        ),
+    )
+
+    # op.drop_index(
+    #     op.f("idx_ace_attribute_type_id"),
+    #     table_name="AccessControlEntries",
+    #     postgresql_using="hash",
+    # )
+    # op.drop_constraint(
+    #     op.f("AccessControlEntries_directoryAttributeTypeId_fkey"),
+    #     "AccessControlEntries",
+    #     type_="foreignkey",
+    # )
+    # op.drop_column("AccessControlEntries", "attributeTypeId")
+
+
+def downgrade(container: AsyncContainer) -> None:
+    """Downgrade."""
+    # op.add_column(
+    #     "AccessControlEntries",
+    #     sa.Column(
+    #         "attributeTypeId",
+    #         sa.INTEGER(),
+    #         autoincrement=False,
+    #         nullable=True,
+    #     ),
+    # )
+
+    op.execute(
+        sa.text(
+            """
+            UPDATE "AccessControlEntries" AS ace
+            SET "attributeTypeId" = directory.id
+            FROM "Directory" AS directory
+            WHERE ace.attribute_type_name = directory.name
+            """,
+        ),
+    )
+
+    # op.create_foreign_key(
+    #     op.f("AccessControlEntries_directoryAttributeTypeId_fkey"),
+    #     "AccessControlEntries",
+    #     "Directory",
+    #     ["attributeTypeId"],
+    #     ["id"],
+    #     ondelete="CASCADE",
+    # )
+    # op.create_index(
+    #     op.f("idx_ace_attribute_type_id"),
+    #     "AccessControlEntries",
+    #     ["attributeTypeId"],
+    #     unique=False,
+    #     postgresql_using="hash",
+    # )
+    op.drop_column("AccessControlEntries", "attribute_type_name")

app/entities.py

@@ -371,6 +371,7 @@ class AccessControlEntry:
     depth: int | None = None
     path: str = ""
     attribute_type_id: int | None = None
+    attribute_type_name: str | None = None
     entity_type_id: int | None = None
     is_allow: bool = False
 
@@ -390,12 +391,6 @@ class AccessControlEntry:
         repr=False,
     )
 
-    @property
-    def attribute_type_name(self) -> str | None:
-        return (
-            self.attribute_type.name.lower() if self.attribute_type else None
-        )
-
     @property
     def entity_type_name(self) -> str | None:
         return self.entity_type.name if self.entity_type else None

app/ldap_protocol/ldap_requests/modify.py

@@ -183,7 +183,6 @@ async def handle(
             user_role_ids=ctx.ldap_session.user.role_ids,
             query=query,
             ace_types=[AceType.WRITE, AceType.DELETE],
-            load_attribute_type=True,
         )
 
         directory = await ctx.session.scalar(query)

app/ldap_protocol/ldap_requests/modify_dn.py

@@ -211,7 +211,6 @@ async def handle(  # noqa: C901
             user_role_ids=ctx.ldap_session.user.role_ids,
             query=query,
             ace_types=[AceType.DELETE, AceType.WRITE],
-            load_attribute_type=True,
         )
 
         directory = await ctx.session.scalar(query)
@@ -274,7 +273,7 @@ async def handle(  # noqa: C901
                 for ace in directory.access_control_entries
                 if (
                     ace.ace_type == AceType.DELETE
-                    and ace.attribute_type is None
+                    and ace.attribute_type_name is None
                 )
             ]
 

app/ldap_protocol/ldap_requests/search.py

@@ -408,7 +408,6 @@ def _build_query(
             user_role_ids=user.role_ids,
             query=query,
             ace_types=[AceType.READ],
-            load_attribute_type=True,
         )
 
         for base_directory in base_directories:

app/ldap_protocol/roles/access_manager.py

@@ -54,16 +54,16 @@ def _check_search_access(
             return False, set(), set()
 
         for ace in aces:
-            if not ace.is_allow and ace.attribute_type_id is None:
+            if not ace.is_allow and ace.attribute_type_name is None:
                 if allowed_attributes:
                     return True, set(), allowed_attributes
                 else:
                     return False, set(), set()
 
-            elif not ace.is_allow and ace.attribute_type_id is not None:
-                forbidden_attributes.add(ace.attribute_type_name)  # type: ignore
+            elif not ace.is_allow and ace.attribute_type_name is not None:
+                forbidden_attributes.add(ace.attribute_type_name)
 
-            elif ace.is_allow and ace.attribute_type_id is None:
+            elif ace.is_allow and ace.attribute_type_name is None:
                 return True, forbidden_attributes, set()
 
             else:
@@ -172,7 +172,7 @@ def _check_modify_access(
                 ace.ace_type == ace_type
                 and not ace.is_allow
                 and (
-                    ace.attribute_type_id is None
+                    ace.attribute_type_name is None
                     or attr_name == ace.attribute_type_name
                 )
             ):
@@ -181,7 +181,7 @@ def _check_modify_access(
                 ace.ace_type == ace_type
                 and ace.is_allow
                 and (
-                    ace.attribute_type_id is None
+                    ace.attribute_type_name is None
                     or attr_name == ace.attribute_type_name
                 )
             ):
@@ -271,7 +271,7 @@ def _extend_user_self_read_ace(
             scope=RoleScope.BASE_OBJECT,
             is_allow=True,
             entity_type_id=None,
-            attribute_type_id=None,
+            attribute_type_name=None,
         )
 
         if not aces:
@@ -291,7 +291,6 @@ def mutate_query_with_ace_load(
         user_role_ids: list[int],
         query: Select[tuple[Directory]],
         ace_types: list[AceType],
-        load_attribute_type: bool = False,
         require_attribute_type_null: bool = False,
     ) -> Select[tuple[Directory]]:
         """Mutate query to load access control entries.
@@ -312,13 +311,6 @@ def mutate_query_with_ace_load(
             base_loader.joinedload(qa(AccessControlEntry.entity_type)),
         ]
 
-        if load_attribute_type:
-            loader_options.append(
-                base_loader.joinedload(
-                    qa(AccessControlEntry.attribute_type),
-                ),
-            )
-
         criteria_conditions = [
             qa(AccessControlEntry.role_id).in_(user_role_ids),
         ]
@@ -334,7 +326,7 @@ def mutate_query_with_ace_load(
 
         if require_attribute_type_null:
             criteria_conditions.append(
-                qa(AccessControlEntry.attribute_type_id).is_(None),
+                qa(AccessControlEntry.attribute_type_name).is_(None),
             )
 
         return query.options(

app/ldap_protocol/roles/ace_dao.py

@@ -66,7 +66,6 @@ async def _get_raw(self, _id: int) -> AccessControlEntry:
         query = (
             select(AccessControlEntry)
             .options(
-                joinedload(qa(AccessControlEntry.attribute_type)),
                 joinedload(qa(AccessControlEntry.entity_type)),
                 joinedload(qa(AccessControlEntry.role)),
                 selectinload(qa(AccessControlEntry.directories)),
@@ -96,7 +95,6 @@ async def get_all(self) -> list[AccessControlEntryDTO]:
         access_control_entries = (
             await self._session.scalars(
                 select(AccessControlEntry).options(
-                    joinedload(qa(AccessControlEntry.attribute_type)),
                     joinedload(qa(AccessControlEntry.entity_type)),
                     joinedload(qa(AccessControlEntry.role)),
                 ),
@@ -172,7 +170,7 @@ async def create(self, dto: AccessControlEntryDTO) -> None:
             path=dto.base_dn,
             scope=RoleScope(dto.scope.value),
             entity_type_id=dto.entity_type_id,
-            attribute_type_id=dto.attribute_type_id,
+            attribute_type_name=dto.attribute_type_name,
             is_allow=dto.is_allow,
             directories=directories,
         )
@@ -214,7 +212,7 @@ async def create_bulk(self, dtos: list[AccessControlEntryDTO]) -> None:
                 path=ace.base_dn,
                 scope=RoleScope(ace.scope.value),
                 entity_type_id=ace.entity_type_id,
-                attribute_type_id=ace.attribute_type_id,
+                attribute_type_name=ace.attribute_type_name,
                 is_allow=ace.is_allow,
                 directories=directory_cache[cache_key],
             )
@@ -240,7 +238,7 @@ async def update(self, _id: int, dto: AccessControlEntryDTO) -> None:
         ace.role_id = dto.role_id
         ace.ace_type = dto.ace_type
         ace.entity_type_id = dto.entity_type_id
-        ace.attribute_type_id = dto.attribute_type_id
+        ace.attribute_type_name = dto.attribute_type_name
         ace.is_allow = dto.is_allow
 
         if dto.scope != ace.scope or dto.base_dn != ace.path:

app/ldap_protocol/roles/dataclasses.py

@@ -20,7 +20,7 @@ class AccessControlEntryDTO:
     scope: RoleScope
     base_dn: GRANT_DN_STRING
     is_allow: bool
-    attribute_type_id: int | None
+    attribute_type_name: str | None
     entity_type_id: int | None
 
     id: int | None = None

app/ldap_protocol/roles/migrations_ace_dao.py

@@ -63,10 +63,10 @@ async def _get_all_raw_aces_legacy(self) -> Sequence[Row[tuple[int, str]]]:
             select(qa(AccessControlEntry.id), qa(AttributeTypeLegacy.name))
             .join(
                 AttributeTypeLegacy,
-                qa(AccessControlEntry.attribute_type_id)
-                == qa(AttributeTypeLegacy.id),
+                qa(AccessControlEntry.attribute_type_name)
+                == qa(AttributeTypeLegacy.name),
             )
-            .where(qa(AccessControlEntry.attribute_type_id).is_not(None)),
+            .where(qa(AccessControlEntry.attribute_type_name).is_not(None)),
         )
         return ace_rows_q.all()
 
@@ -102,13 +102,14 @@ async def _get_all_raw_aces(self) -> Sequence[Row[tuple[int, str]]]:
             select(qa(AccessControlEntry.id), qa(Directory.name))
             .join(
                 Directory,
-                qa(AccessControlEntry.attribute_type_id) == qa(Directory.id),
+                qa(AccessControlEntry.attribute_type_name)
+                == qa(Directory.name),
             )
             .join(
                 EntityType,
                 qa(EntityType.id) == qa(Directory.entity_type_id),
             )
             .where(qa(EntityType.name) == EntityTypeNames.ATTRIBUTE_TYPE)
-            .where(qa(AccessControlEntry.attribute_type_id).is_not(None)),
+            .where(qa(AccessControlEntry.attribute_type_name).is_not(None)),
         )
         return ace_rows_q.all()

app/ldap_protocol/roles/role_dao.py

@@ -75,7 +75,6 @@ async def _get_raw(self, _id: int) -> Role:
                     qa(Group.directory),
                 ),
                 selectinload(qa(Role.access_control_entries)).options(
-                    joinedload(qa(AccessControlEntry.attribute_type)),
                     joinedload(qa(AccessControlEntry.entity_type)),
                     joinedload(qa(AccessControlEntry.role)),
                 ),
@@ -108,7 +107,6 @@ async def get_by_name(self, role_name: str) -> RoleDTO:
                     qa(Group.directory),
                 ),
                 selectinload(qa(Role.access_control_entries)).options(
-                    joinedload(qa(AccessControlEntry.attribute_type)),
                     joinedload(qa(AccessControlEntry.entity_type)),
                     joinedload(qa(AccessControlEntry.role)),
                 ),

app/ldap_protocol/roles/role_use_case.py

@@ -184,7 +184,7 @@ async def create_read_only_role(self) -> None:
             ace_type=AceType.READ,
             scope=RoleScope.WHOLE_SUBTREE,
             base_dn=base_dn_list[0].path_dn,
-            attribute_type_id=None,
+            attribute_type_name=None,
             entity_type_id=None,
             is_allow=True,
         )
@@ -268,7 +268,7 @@ def _get_full_access_aces(
                 ace_type=AceType.READ,
                 scope=RoleScope.WHOLE_SUBTREE,
                 base_dn=base_dn,
-                attribute_type_id=None,
+                attribute_type_name=None,
                 entity_type_id=None,
                 is_allow=True,
             ),
@@ -277,7 +277,7 @@ def _get_full_access_aces(
                 ace_type=AceType.CREATE_CHILD,
                 scope=RoleScope.WHOLE_SUBTREE,
                 base_dn=base_dn,
-                attribute_type_id=None,
+                attribute_type_name=None,
                 entity_type_id=None,
                 is_allow=True,
             ),
@@ -286,7 +286,7 @@ def _get_full_access_aces(
                 ace_type=AceType.WRITE,
                 scope=RoleScope.WHOLE_SUBTREE,
                 base_dn=base_dn,
-                attribute_type_id=None,
+                attribute_type_name=None,
                 entity_type_id=None,
                 is_allow=True,
             ),
@@ -295,7 +295,7 @@ def _get_full_access_aces(
                 ace_type=AceType.DELETE,
                 scope=RoleScope.WHOLE_SUBTREE,
                 base_dn=base_dn,
-                attribute_type_id=None,
+                attribute_type_name=None,
                 entity_type_id=None,
                 is_allow=True,
             ),

app/repo/pg/tables.py

@@ -526,6 +526,7 @@ def _compile_create_uc(
         nullable=True,
         key="attribute_type_id",
     ),
+    Column("attribute_type_name", String, nullable=False),
     Column(
         "entityTypeId",
         Integer,